Posted to users@subversion.apache.org by Pelle Johansson <mo...@morth.org> on 2004/10/29 11:27:34 UTC

Local repository problems

Hello, I'm having some trouble with a file:// repository.

First of all, there doesn't seem to be any way to restrict read access. 
Basically if you can read the db you have read access to the whole 
repository. I realise I'd have to run svn setuid for anything else to 
work, but am I missing something or is this not implemented yet?

Second, svn honors the --username when accessing the repository. I like 
that, but there seems to be no way to check the password? As it 
currently stands, it seems you can impersonate anyone using this.

Should I set up Apache even for local access? (currently only running 
Apache 1.3 so will be some work).
-- 
Pelle Johansson
<mo...@morth.org>


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: Local repository problems

Posted by Max Bowsher <ma...@ukf.net>.
Pelle Johansson wrote:
> Hello, I'm having some trouble with a file:// repository.
>
> First of all, there doesn't seem to be any way to restrict read access.
> Basically if you can read the db you have read access to the whole
> repository. I realise I'd have to run svn setuid for anything else to
> work, but am I missing something or is this not implemented yet?

Not implemented (and realistically unlikely to ever be).

> Second, svn honors the --username when accessing the repository. I like
> that, but there seems to be no way to check the password? As it
> currently stands, it seems you can impersonate anyone using this.
>
> Should I set up Apache even for local access? (currently only running
> Apache 1.3 so will be some work).

If you can arrange to only need to restrict read access at the granularity 
of repositories, you could use svn+ssh:// instead, which would be more 
lightweight.

If you cannot, then yes, apache is the only solution.

Max.

Re: Local repository problems

Posted by Andrew Arnott <an...@gmail.com>.
> First of all, there doesn't seem to be any way to restrict read access.
> Basically if you can read the db you have read access to the whole
> repository. I realise I'd have to run svn setuid for anything else to
> work, but am I missing something or is this not implemented yet?

Absolutely there is!  If you want to grant read access to just certain
directories in the repository, you can use AuthzSVNAccessFile within
Apache.  From the book:
http://svnbook.red-bean.com/svnbook-1.0/ch06s04.html#svn-ch-6-sect-4.4.2

"It's possible to set up finer-grained permissions using a second
Apache httpd module, mod_authz_svn. This module grabs the various
opaque URLs passing from client to server, asks mod_dav_svn to decode
them, and then possibly vetoes requests based on access policies
defined in a configuration file."

Read more from that URL to find out how it works.

> Second, svn honors the --username when accessing the repository. I like
> that, but there seems to be no way to check the password? As it
> currently stands, it seems you can impersonate anyone using this.

Have you even set passwords for your users?  Hmm... Maybe you have, but
the module is set up wrong.  If you go through Apache, the
authentication can be run through that.  If the configuration is
right, it won't let you freely impersonate without a password.

> Should I set up Apache even for local access? (currently only running
> Apache 1.3 so will be some work).

Local as in just one machine is all that's using the repository? 
Hmmm... Maybe Apache is overkill.  But then, I've never configured
Subversion to work with authentication without using Apache.  So maybe
you'll need it.

Andrew Arnott
Web Developer
Brigham Young University
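
The Apache setup discussed in this thread, as an added example that is not part of any of the posts: password-checked authentication plus per-path read rules through AuthzSVNAccessFile. The URL, file paths, user names and repository layout are all assumptions chosen for illustration.

```apache
# Added example; every path, user name and directory below is hypothetical.
LoadModule dav_module        modules/mod_dav.so
LoadModule dav_svn_module    modules/mod_dav_svn.so
LoadModule authz_svn_module  modules/mod_authz_svn.so

<Location /svn/project>
    DAV svn
    SVNPath /var/svn/project

    # Authentication: the user name must match a password in this file,
    # so a client cannot simply claim a name with --username.
    # Basic auth sends the password base64-encoded; serve this over TLS.
    AuthType Basic
    AuthName "Subversion repository"
    AuthUserFile /etc/svn/htpasswd
    Require valid-user

    # Authorization: per-path rules evaluated by mod_authz_svn.
    AuthzSVNAccessFile /etc/svn/authz
</Location>

# Contents of /etc/svn/authz (a separate file, shown here as comments):
#
#   [groups]
#   developers = alice, bob
#
#   # Developers may read the whole repository...
#   [/]
#   @developers = r
#
#   # ...and commit under /trunk.
#   [/trunk]
#   @developers = rw
#
#   # An empty value denies access: bob cannot read this directory.
#   # alice is not named here, so the /trunk rule still applies to her.
#   [/trunk/secret]
#   bob =
```

For these rules to bind users on the same machine, the repository directory has to be readable only by the account httpd runs as; anyone who can read the db directly can still go through file:// and skip both checks.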